In modern society, an increasing number of people use Internet banking and Internet shopping and engage in other e-commerce activities. To do so, they have to log in with a user ID and password. However, a fixed user ID and password can easily be stolen by criminals using spyware, hacking techniques, phishing websites, etc. Crime has also shown that protective measures such as the card number and cardholder's name on a credit card, or a fixed password, are not enough. Criminals may gain access to this fixed information and use it to access a customer's online account illegally, to forge a credit card, or to clone an ATM card.
To solve the problems associated with a fixed password, some banks have issued password generators to customers who have Internet banking accounts. The most popular password generator, known as the SecurID token, is developed by RSA Security Inc. The working principle of the SecurID token is as follows: the token generates a pseudo-random number as a varying password every 30 (or 60) seconds according to a program. The host computer generates the same varying password every 30 seconds, with the same program and at the same time, for the customer's account. When the customer logs in for Internet banking, he/she submits the password shown on the SecurID token. If the password submitted by the customer is identical to the one generated by the host computer, the customer is admitted to his/her account. Varying-password generators provide high security for Internet banking, as it is impossible to predict the password without the program. Even if a varying password is stolen, it is useless, because it is valid for only a few minutes after it is generated and can be used only once.
However, a normal password generator such as the SecurID token has security deficiencies and other disadvantages. Firstly, it is unable to tackle phishing. It only allows the bank to verify the customer; customers are unable to verify whether the website they are logging in to is fake. Customers and banks are at risk if criminals steal a customer's login information and varying password through a phishing website and instantly use them to log in to the bank's website and access the customer's account.
Secondly, banks issue SecurID tokens only for online transactions (Internet banking), not to tackle credit card forgery or ATM card cloning.
Thirdly, the SecurID token is not small enough, so it is inconvenient for customers to carry more than two SecurID tokens. However, people normally have more than two accounts at different banks.
U.S. Pat. No. 7,051,929 B2 proposes a secure credit card having a daily changing security number. The secure credit card contains a processor, a key or keypad, a battery, a display window and a program download port. The processor is loaded with a predetermined program so that it can generate the date and a daily renewed security number, which can be shown on the display window. The security number is a function of the date, and their relationship is defined by the predetermined program. The computer of the credit card company keeps this predetermined program and can use it to compute the security number for the date. The security number computed by the credit card company is identical to the security number shown on the display window of the secure credit card for that date. The validity of the credit card and its transaction can therefore be verified by the credit card company based on the cardholder's name, the card number and the security number of the date.
Although this secure credit card can prevent a credit card from being forged, it still has a safety deficiency. For example, criminals can use fake websites (phishing sites) or trojans to steal the information and security number of a secure credit card and use them to make an illegal payment instantly.
It is our objective to provide a two-varying-password generator. Unlike a normal varying-password generator, which produces only one varying password at a certain time interval, the two-varying-password generator produces two varying passwords of different digit lengths and at different time intervals, according to two algorithms or programs respectively. Therefore, even if a password is intercepted by criminals, they cannot use it, as it expires after a few minutes or has already been used. Furthermore, the generator not only allows the bank to authenticate customers, but also allows customers to verify whether the bank website they are accessing is fake or not. The two-varying-password generator can also be applied to tackle credit card forgery and ATM card cloning. In addition, each customer adds only a very low computation load to the host computer, which means that the annual fee for each customer is negligible. The two-varying-password generator itself also has a very low computation load, since it is in sleeping mode most of the time. It can be made very slim, as a single button-size battery is enough to support its 5-year life span.
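The varying-password principle described for the SecurID token and the two-password generator proposed above can be modelled as follows. This is an added example, not code from the patent or from RSA: HMAC-SHA256 stands in for the unspecified "programs", and the digit lengths, intervals, class names and the idea that the genuine website displays the second password for the customer to compare are all assumptions.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the text): 6 digits / 30 s and 8 digits / 60 s.
LOGIN_DIGITS, LOGIN_INTERVAL = 6, 30
SITE_DIGITS, SITE_INTERVAL = 8, 60

def varying_password(key: bytes, now: int, interval: int, digits: int) -> str:
    """Password for the time step containing `now`; HMAC stands in for the 'program'."""
    mac = hmac.new(key, struct.pack(">Q", now // interval), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Generator:
    """Customer's device (hypothetical model): two keys, two varying passwords."""
    def __init__(self, login_key: bytes, site_key: bytes):
        self.login_key, self.site_key = login_key, site_key

    def login_password(self, now: int) -> str:
        return varying_password(self.login_key, now, LOGIN_INTERVAL, LOGIN_DIGITS)

    def site_password(self, now: int) -> str:
        return varying_password(self.site_key, now, SITE_INTERVAL, SITE_DIGITS)

class Host(Generator):
    """Host computer: same keys and clock, plus expiry and one-time-use checks."""
    def __init__(self, login_key: bytes, site_key: bytes):
        super().__init__(login_key, site_key)
        self.last_step = -1  # newest login time step already accepted

    def verify_login(self, submitted: str, now: int, drift_steps: int = 1) -> bool:
        current = now // LOGIN_INTERVAL
        for step in range(current - drift_steps, current + 1):
            if step <= self.last_step:
                continue  # already used: a replayed password is refused
            expected = varying_password(self.login_key, step * LOGIN_INTERVAL,
                                        LOGIN_INTERVAL, LOGIN_DIGITS)
            if hmac.compare_digest(expected, submitted):
                self.last_step = step
                return True
        return False  # wrong, expired, or replayed

def site_is_genuine(token: Generator, shown: str, now: int) -> bool:
    """Customer-side check (assumed flow): the site shows what the device shows."""
    return hmac.compare_digest(token.site_password(now), shown)
```

A host that holds only the login key cannot produce the second password, which is what lets the customer's comparison separate the genuine site from a copy.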